Automation

  • 1.  Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 05, 2023 01:35 AM

    Does anyone have experience getting Invoke-VMScript working when authenticating against RedHat IdM?

    I'm actually using Invoke-VMScriptPlus and during development I was using root with no issues. When I use the script outside of my lab I'll need to login against RedHat IdM (cached credentials on the guest OS actually) and it's failing to authenticate.

    This IdM thing uses IPA client and Kerberos I think; I'm not a Linux expert by any means. Caching is turned on in the client OS, and if I disconnect the network I'm still able to log in at the console (a disconnected network is the scenario in which my script will run to fix network settings, among other things).

    Based on VMware KB 78251 (and this other Veritas one, although I'm not using Veritas) I think my issue is with the /etc/pam.d/vmtoolsd file, but I can't find a config that seems to work.

    Anyone know the secret sauce to get this working with RHEL 6, 7 and 8?



  • 2.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 05, 2023 09:11 AM

    Does the Verbose switch on Invoke-VMScriptPlus give any clues?



  • 3.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 05, 2023 09:51 PM

    Here's the output of verbose:

    VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
    VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
    VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
    VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
    VERBOSE: No GuestOSType value provided. Trying to determine now.
    VERBOSE: It's a Linux guest OS
    VERBOSE: Seems to be a Linux guest OS
    VERBOSE: Add SheBang #!/usr/bin/env bash
    Exception calling "CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."
    At C:\Users\redacted\Invoke-VMScriptPlus.ps1:406 char:104
    + ... oraryDirectoryInGuest($moref, $auth, "$($env:USERNAME)_$($PID)", $nul ...
    + ~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : VimException

    VERBOSE: Created temp folder in guest OS
    VERBOSE: Encountered a problem creating the script file in the guest OS
    Exception calling "CreateTemporaryFileInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials." Exception calling
    "CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."[0].Exception.Message
    At C:\Users\redacted\Invoke-VMScriptPlus.ps1:423 char:17
    + Throw "$error[0].Exception.Message"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Exception calli...ception.Message:String) [], RuntimeException
    + FullyQualifiedErrorId : Exception calling "CreateTemporaryFileInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials." Exception calling "CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."[0].Exception.Message


    And the vmware.log from ESX for the log:


    2023-03-05T16:23:22.120Z| vmx| I125: VigorTransportProcessClientPayload: opID=20889671-d8-ebc3 seq=10866: Receiving GuestOps.CreateTemporaryDirectory request.
    2023-03-05T16:23:25.095Z| vcpu-12| I125: VigorTransport_ServerSendResponse opID=20889671-d8-ebc3 seq=10866: Completed GuestOps request with messages.
    2023-03-05T16:23:25.392Z| vmx| I125: VigorTransportProcessClientPayload: opID=338db5ac-c0-ebda seq=10877: Receiving GuestOps.CreateTemporaryFile request.
    2023-03-05T16:23:25.865Z| vcpu-13| I125: VigorTransport_ServerSendResponse opID=338db5ac-c0-ebda seq=10877: Completed GuestOps request with messages.


    From inside the guest OS (/var/log/vmware-vmsvc-root.log):

    [2023-03-05T16:23:21.746Z] [ message] [vix] VixTools_ProcessVixCommand: command 182
    [2023-03-05T16:23:21.746Z] [ message] [VCGA] Pref_Init: Using '/etc/vmware-tools/vgauth.conf' as preferences filepath
    [2023-03-05T16:23:21.746Z] [ message] [VCGA] VGAuth 'build-15389592' initialized for application 'vmtoolsd'. Context created at 0x5565393446b0
    [2023-03-05T16:23:21.747Z] [ message] [VCGA] PAM up and running.
    [2023-03-05T16:23:24.652Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12
    [2023-03-05T16:23:24.652Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)
    [2023-03-05T16:23:24.652Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 182 returning 3050
    [2023-03-05T16:23:24.652Z] [ message] [vix] ToolsDaemonTcloReceiveVixCommand: command 182, additionalError = 4294967294
    [2023-03-05T16:23:25.003Z] [ message] [vix] VixTools_ProcessVixCommand: command 181
    [2023-03-05T16:23:25.421Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12
    [2023-03-05T16:23:25.421Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)
    [2023-03-05T16:23:25.421Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 181 returning 3050
    [2023-03-05T16:23:25.421Z] [ message] [vix] ToolsDaemonTcloReceiveVixCommand: command 181, additionalError = 4294967292




  • 4.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 05, 2023 09:57 PM

    Not sure why my replies with the outputs are not appearing so attaching it as a txt instead.



  • 5.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 06:26 AM

    Looks like the account you are using doesn't have the required permissions to create a directory in that location.



  • 6.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 10:40 AM

    Sounds a bit like the open-vm-tools #Issue345, where the cause was characters (like $) in the password.



  • 7.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 12:03 PM

     wrote:

    Sounds a bit like the open-vm-tools #Issue345, where the cause was characters (like $) in the password.


    I'm passing credentials as pscredential so I assume special characters in the password aren't an issue. (That's for testing this issue, in my real script I take the pscredential and pass the username and password as $mycred.username and $mycred.password since my script works for Windows too and I need to adjust the username in certain cases)



  • 8.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 12:43 PM

    Did you already try with another account?
    Which one are you using currently? The 'root' account? Is that enabled?
    Did you already try with a simple command in the ScriptText parameter, like for example '/bin/sudo ls'?



  • 9.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 02:06 PM

     wrote:

    Did you already try with another account?
    Which one are you using currently? The 'root' account? Is that enabled?
    Did you already try with a simple command in the ScriptText parameter, like for example '/bin/sudo ls'?


    I modified the script to create the temp directory in /tmp/ so there should not be any permission issues.

    When the following code is run with $c set to root, everything is great.

    When $c is set to my IdM user it fails. Note that my account is not in /etc/passwd because it's not a local account.

    $c = Get-Credential
    . 'C:\redacted\Invoke-VMScriptPlus2.ps1'

    # Script to run inside the guest
    $pScript = @'
    pwd
    ls -l
    '@

    # Parameters for Invoke-VMScriptPlus, passed by splatting
    $sCode = @{
    VM = "myvm"
    GuestCredential = $c
    SkipCertificateCheck = $true
    ScriptType = 'bash'
    ScriptText = $pScript
    }

    Invoke-VMScriptPlus @sCode -Verbose


    The contents of /etc/pam.d/vmtoolsd:

    #%PAM-1.0
    auth substack password-auth
    auth include postlogin
    account required pam_nologin.so
    account include password-auth

    I've tried adding the line from the VMware KB (and rebooted the VM), but it changed nothing.



  • 10.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 06, 2023 02:27 PM

    I guess you mean KB78251?

    But it seems to me that this is more of an open-vm-tools issue with IdM.
    And I'm afraid I'm a noob concerning all things PAM.

    Perhaps you could create an issue in the open-vm-tools repo,
    or ask the question in the Virtual Machine, Guest OS and VM Tools Discussions community on VMTN.



  • 11.  RE: Invoke-VMScript not authenticating against RedHat IdM

    Posted Mar 08, 2023 12:28 AM

    Problem solved and it was on the IdM side.

    The GitHub post I made gave me the idea to check journalctl. I could see authentication was OK, but I was getting access denied on the vmtoolsd service.

    I came across this post where your last reply had the same error I was getting. IdM has some HBAC rules which appeared to limit what services I could "use". I got vmtoolsd added as a test and everything works! Now there's a 90 second delay when running my script if the network is unavailable, but that's not a VMware problem.
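Added example (not code from the thread, open-vm-tools or IdM): a small shell filter that picks out the exact pattern the final reply describes, a successful auth phase on the vmtoolsd PAM service followed by an account-phase "Access denied" (HBAC rejecting the service), so it can be told apart from a plain wrong-password failure. The log lines are constructed in the pam_sss syslog format; the host name, users and PIDs are made up.

```shell
#!/bin/sh
# Constructed sample journal lines (not captured from the thread's systems):
# what pam_sss writes when an IdM user's password is accepted but an HBAC rule
# rejects the PAM service. Host "guest" and users "alice"/"bob" are made up.
SAMPLE_LOG=$(cat <<'EOF'
Mar 05 11:23:21 guest vmtoolsd[1234]: pam_sss(vmtoolsd:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=alice
Mar 05 11:23:24 guest vmtoolsd[1234]: pam_sss(vmtoolsd:account): Access denied for user alice: 6 (Permission denied)
Mar 05 11:30:02 guest login[2345]: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty=tty1 ruser= rhost= user=alice
Mar 05 11:31:10 guest vmtoolsd[1234]: pam_sss(vmtoolsd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
Mar 05 11:31:10 guest vmtoolsd[1234]: pam_sss(vmtoolsd:auth): received for user bob: 7 (Authentication failure)
EOF
)

# Print "user service" for each case where the auth phase succeeded and the
# account phase then returned 6 (Permission denied) on the same service.
# That pairing is the HBAC signature: right password, service not allowed.
# A plain auth failure (bob) or a service that passed (login) is not reported.
# Reads stdin, or the files given as arguments (e.g. a saved journalctl dump).
hbac_denials() {
  awk '
    /pam_sss\([^:]+:auth\): authentication success/ {
      svc = $0; sub(/.*pam_sss\(/, "", svc); sub(/:auth\).*/, "", svc)
      user = $0; sub(/.*user=/, "", user); sub(/ .*/, "", user)
      ok[user "/" svc] = 1
    }
    /pam_sss\([^:]+:account\): Access denied for user [^:]+: 6 / {
      svc = $0; sub(/.*pam_sss\(/, "", svc); sub(/:account\).*/, "", svc)
      user = $0; sub(/.*Access denied for user /, "", user); sub(/:.*/, "", user)
      if ((user "/" svc) in ok) print user, svc
    }
  ' "$@"
}

# Demo on the constructed sample; expected output: alice vmtoolsd
printf '%s\n' "$SAMPLE_LOG" | hbac_denials
```

On a real guest, feed it `journalctl -t vmtoolsd`; the thread's fix corresponds to allowing the vmtoolsd HBAC service on the IdM side (`ipa hbacsvc-add vmtoolsd`, then adding it to the relevant rule), which `ipa hbactest --user=<user> --host=<guest-fqdn> --service=vmtoolsd` can confirm before retrying the script.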